To get a trial key
fill out the form below
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement

Request our prices
New License
License Renewal
--Select currency--
USD
EUR
* By clicking this button you agree to our Privacy Policy statement

Free PVS-Studio license for Microsoft MVP specialists
** By clicking this button you agree to our Privacy Policy statement

To get the licence for your open-source project, please fill out this form
** By clicking this button you agree to our Privacy Policy statement

I am interested to try it on the platforms:
** By clicking this button you agree to our Privacy Policy statement

Message submitted.

Your message has been sent. We will email you at


If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

>
>
>
XEE attack (billion laughs attack)

XEE attack (billion laughs attack)

Oct 28 2021

An XEE attack is a type of an application attack. It's also called a billion laughs attack or an XML bombs attack. The essence of this attack is that an insecurely configured XML parser processes external data. As a result of this attack, you may get denial of service (DoS).

Note. XEE and XXE are different attack types. You can read about an XXE attack here

What is an XEE attack?

XML files may contain the document type definition (DTD). DTD allows us to define and use XML entities. Entities can either refer to some external resource or be fully defined inside the document. In the latter case, they can be represented by a string or other entities, for example.

An XML file with examples of such entities:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE foo [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;">
]>
<foo>&lol1;</foo>

The file contains the 'lol' and 'lol1' entities. The first entity is defined through a string, and the second one — through other entities.  The value of the 'lol1' entity results in the 'lollol' string.

You can increase the nesting and the number of entities. For example, like this:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE foo [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<foo>&lol2;</foo>

The 'lol2' entity expands as follows:

lollollollollollollollollollollollollollollollollollollollollollollol
lollollollollollollollollollollollollollollollollollollollollollollol
lollollollollollollollollollollollollollollollollollollollollollollol
lollollollollollollollollollollollollollollollollollollollollollollol
lollollollollollollollol

So-called XML bombs are created in a similar way, by increasing the number of nested entities. XML bombs are small files that enlarge when entities are expanded. That's where the name of this attack type comes from:

  • XEE (XML Entity Expansion);
  • billion laughs (because of a multiple repetition of 'lol').

Thus, a hacker can perform a DoS attack with XML bombs if:

  • an attacker can pass an XML bomb to an application;
  • an XML parser that processes this file has an insecure configuration.

Vulnerable code examples

Below is an example of code vulnerable to an XEE attack:

static void XEETarget(String pathToXml)
{
  XmlReaderSettings settings = new XmlReaderSettings()
  {
    DtdProcessing = DtdProcessing.Parse,
    MaxCharactersFromEntities = 0
  };

  using (var xml = File.OpenRead(pathToXml))
  {
    using (var reader = XmlReader.Create(xml, settings))
    {
      while (reader.Read())
      {
        if (reader.NodeType == XmlNodeType.Text)
          Console.WriteLine(reader.Value);
      }
    }
  }
}

In this code fragment, reader parses an XML file. This parser is vulnerable to XML bombs since it was created with insecure settings:

  • DTD processing is allowed. The DtdProcessing property has the DtdProcessing.Parse value;
  • there's no limit on the size of entities. The MaxCharactersFromEntities property has 0.

As a result, the parser may freeze in attempt to parse an XML bomb and start consuming a large amount of memory.

If you want to make a parser resistant to XEE attacks, it is enough to set at least one of the following options for it:

  • prohibit or ignore DTD processing. Set the Prohibit/Ignore value for the DtdProcessing property.
  • set limits on the maximum size of entities.

Below is an example of settings in which the DTD processing is allowed, but the maximum size of entities is limited:

XmlReaderSettings settings = new XmlReaderSettings()
{
  DtdProcessing = DtdProcessing.Parse,
  MaxCharactersFromEntities = 1024
};

If, during the XML file parsing, the size of entities exceeds the set limits, then the XML parser throws an exception of the XmlException type.

Peculiarities of default parser settings

Note that the default settings of some XML parsers may vary in different versions of libraries. For example, Microsoft changed the settings of some XML parsers between .NET Framework 4.5.1 and .NET Framework 4.5.2, making them more secure by default.

Look at the example:

static void XEETarget(String pathToXml)
{
  using (var xml = File.OpenRead(pathToXml))
  {
    var settings = new XmlReaderSettings()
    {
      DtdProcessing = DtdProcessing.Parse
    };

    using (var reader = XmlReader.Create(xml, settings))
    {
      while (reader.Read())
      {
        // Process XML
      }
    }
  }
}

This code fragment is vulnerable to XEE attacks in .NET Framework 4.5.1 and older versions. It does not set limits on entities size — the value of the MaxCharactersFromEntities property is 0. In .NET Framework 4.5.2 and newer versions a limit on entities size is set by default. As a result, this code fragment is resistant to XEE attacks.

Additional links

Comments (0)

Next comments
Unicorn with delicious cookie
Our website uses cookies to enhance your browsing experience.
Accept